I am very new to creating webservers - and I have had several goes at trying to understand them and write a quick webserver, but it's never quite 'clicked'. At ...
I currently work on a Java web application that relies on a permissions mechanism to manage user content. This of course means that we need to manage users. Our current ...
I'm working on a Java EE project which will have anywhere from 3-6 different clients. The project is open source, and I wonder what security mechanisms one could/should use. The problem ...
We use JSP, servlets and beans with a MySQL database. We don't want to restrict the characters entered by users on form fields. So how do I sanitize the input and how to ...
We are developing a J2EE application backed by any database of the customer's choice. We will sell to customers based on a per-user license price. How do I make sure the application ...
I am trying to figure out what some legacy code is doing. What exactly is this line doing, and why would I need it this way?
String lineSeparator = (String) java.security.AccessController.doPrivileged(
...
Is it sufficient to secure a Java web application with the rights of the user that is running the application server process or is it reasonable also to use SecurityManager with ...
I am planning to run a java web application and solr in the same java container. I want the web application to be publicly accessible but solr to be accessible only ...
If you use Java EE 6 container managed security, you can configure security constraints for resources inside the web.xml deployment descriptor. Are there alternative ways to do this?
For example the container ...
I tried creating custom security and policy as given here:
http://download.oracle.com/docs/cd/E15523_01/relnotes.1111/e10132/owsm.htm#CIADFGGC
When I run the service client, the custom assertion is executed, returning successfully.
public IResult execute(IContext context) throws WSMException ...
We are doing XSRF fixes for our code. We are using the session token to request token comparison method to achieve this. In case the session token is not equal to ...
We are using security exits in WebsphereMQ 6.0 to provide security in java clients connecting to MQ and MQ - MQ connectivity. We use security exits to provide secure way to ...
I am working with a jsp/servlet project and I have to complete the module of access management for my JSPs since I have more than one user with different profiles.
I defined a ...
When you run a Java Servlet Container that you would like to serve both static and dynamic content on port 80 you have the classic question of whether to run the ...
I have a set of three web application systems - A, B & C that are used to service my application. The A system has the core business logic and ...
I have been given a WSDL to generate a client against which uses a security policy. This is my first time using a security policy and although I've read about ...
I'm developing a Java Enterprise application, currently doing JEE-Security stuff to restrict access for particular functions to specific users.
I configured the application server and everything, now I'm using the RolesAllowed-annotation ...
I am working on a project that requires that I implement a mechanism for controlling data access to the content that is displayed on the pages.
First off, to clarify, I am ...
I'm planning to distribute an application over the internet with Java Web Start, and I'm aware that I'll need to sign the application to enable certain security privileges (network connections, dynamic ...
I read most of the documentation, I only see the use of @RolesAllowed or @DeclareRoles, how can I add or delete a user? I have a table of users with username ...
I am running a simple Java client to connect to a remote MQ queue.
- When I run the Java code to read/write messages with the Alias queue name, it works fine.
- When ...
At a recent interview, I was asked:
Open source web app (say built on Struts/Spring) is more prone to hacking since anyone can access the source code and change it. How do ...
I have an application that is trying to put a message to a queue (LOG.TRANSACTION.IN) on a remote queue manager. The message ends up failing with a 2035 and is put ...
All I need is a simple login page that will check against the username and password of a simple User entity class.
Is that possible with Java EE 6? In the tutorials they ...
I received a request from my users: what they want is a common "portal" for any web applications from my development group. Currently, if we have X number of web apps, ...
Recently we implemented OWASP security solutions with OWASP.jar. After this, our application was working fine in IE 7 and Firefox 3.5. But the application is not working in Safari 4.0.5 or ...
Sorry, this is not a question about a specific programming language, but I need an opinion on this. Please don't vote to close.
Where do I learn about detecting vulnerabilities from scratch?
I ...
This question is similar to Exploitable PHP Functions.
Tainted data comes from the user, or more specifically an attacker. When a tainted variable reaches a sink function, then ...
For a Java web application, I got this error when using JRE 1.6.0_22; however, it works fine when using JRE 1.6.0_13.
I searched on Google, and found that there is a security ...
I'm using JSF 2 with Glassfish 3 and I'm about to configure access control. As I understand it, this is done in web.xml with security-constraint containing web-resource-collection and auth-constraint. Let's say ...
I've done some searching and found lots of answers that don't quite give me what I'm looking for, so here goes.
Firstly I'm looking into an area I'm not really familiar with, ...
I am playing around with the java .policy file and was wondering how I could go about doing something like preventing calls to java.util.Date(), as an example.
I just want to get ...
I have a web application which I'd like to host online. The user logon consists of a hashed password which is saved in the db and verified via the code, simple but ...
I am working on a large JEE web-app with CRM functionality and we are looking for a security approach/library/solution/anything. Basic role-based security won't work since access control must be based on ...
I need to use (at the moment) some java apis that -unfortunately- can be "configured" only via jvm properties.
I understand that this can affect multithreading, since it can be the case ...
I have a question that pops up occasionally.
I am trying to debug some jdk apis using eclipse.
I have tried:
1) Using the jre inside jdk (containing the jdk src) as the jre ...
I have an application that needs to log "application log messages" to an appender and "security log messages" to another appender (security log messages cannot appear in the application log). I ...
I created a web service:
@WebService(serviceName = "DynamipsService2")
@Stateless()
public class DynamipsService2 {
    @WebMethod(operationName = "StartSession")
    public static String StartSession(@WebParam(name = "key") String key) {
    ...
Consider this code:
class DatabaseAction(/* ... */) {
    public void deleteUser(User userToDelete, User currentUser) {
        /* ... */
    }
}
Is it possible to add an aspect-based ...
Consider this method:
@Access(rights = GUEST)
public void foo() {
    doSomething();
}
This pointcut basically matches if the method has an @Access annotation:
pointcut check() :
    execution(@Access * *(..));
But how can I access the field ...
Consider this code:
class DatabaseCommands {
    @Privilege(ADMIN)
    public void delete(Something thingToDelete, User currentUser) {
        /* ... */
    ...
I ran my application for security compliance in the Veracode tool.
And whenever the tool finds any logging, it detects it as a flaw in the code.
And the flaw says the below quote:
Improper Output Neutralization for ...
I have a problem with security in Java EE.
I have an application that is supposed to be a kind of e-shop. I have three entities:
User class that is not mapped into ...
I am writing a Java client (on weblogic 10.3) to invoke a secure web service.
I have been provided with a client certificate which I have installed in cacerts, DemoIdentity.jks and DemoTrust.jks
In ...
I would like to create a rest architecture for an e-commerce website application.
In fact, there would be :
- the front office web site
- the back office web site which acts as a content ...
When an unauthenticated user requests some resources, he will be redirected to a login page but j_security_check will keep the original requested resource. If the user logs in successfully, it will be ...
I'm following the JEE6 tutorial and am reading the part related to security. In the examples, the user management is done using the features provided with the ...
I am completely new to Container managed security and need some help with configuring it in my web application.
I want to restrict access to the JSPs within my web application. This ...
I have read the Get Started guide provided by RabbitMQ and have even contributed the sixth example to stormed-amqp, so I have an inkling of knowledge about ...
I have a remote web-service which is secured with an X.509 certificate.
I generated the web-service client stuff (using jax-ws) but need to configure it for the certificate's usage.
How should I proceed?
I guess I should ...
I use IBM Websphere Application Server 6.1 and my login screen has controls as:
<form action="j_security_check" method="POST">
User Name: [ Admin ...
I was reading some article on Java Security, and came across uses of java.policy files for granting permission to the source code coming from different code sources.
My question is, do we ...
I use a JDBC form based security realm, and I want to implement a logout, but when I click on the link I see this exception:
java.lang.RuntimeException: java.security.AccessControlException:
access ...
I'm going to deploy my webapp (WAR) on a server machine. But the server machine is in the client's hands, and they take a database dump (so new data can be created), and the WAR ...
Hi all. Having some issues setting the attributes for securing a web service. I am using NB 6.5 and Glassfish 2.1. In the Quality of Service Tab I enable the Secure ...
Hi, I've the following method to encrypt a password and add the pair (login, hashedPassword) to a hash table. When later I try to compare the byte value of (hashedPassword) in the Hashtable to the ...
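An added example, not the poster's method, of the store-and-verify flow the post describes: a salted PBKDF2 hash is kept per login in a Hashtable (used only because the post mentions one; a database row would normally hold it) and the candidate hash is compared byte-for-byte in constant time. The class and field names, iteration count and salt length are assumptions. The comparison is the part that usually goes wrong: `byte[]` inherits identity `equals()` from Object, so two equal hashes held in different arrays compare as unequal.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.Hashtable;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example (Java 7+): salted PBKDF2 password records with a constant-time check.
// Names and parameters are assumptions, not taken from the original post.
public class PasswordStore {
    private static final int ITERATIONS = 100_000; // assumed work factor; tune to ~100 ms
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    static final class Record {
        final byte[] salt;
        final byte[] hash;
        Record(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    private final Hashtable<String, Record> users = new Hashtable<>();

    // PBKDF2-HMAC-SHA1 is available in every Java 6+ runtime without extra providers.
    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        return f.generateSecret(spec).getEncoded();
    }

    public void add(String login, char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);               // fresh salt per user: equal passwords get different hashes
        users.put(login, new Record(salt, pbkdf2(password, salt)));
        Arrays.fill(password, '\0');       // do not keep the clear text around
    }

    public boolean verify(String login, char[] password) throws Exception {
        Record r = users.get(login);
        // Hash even for an unknown login so response time does not reveal which logins exist.
        byte[] salt = (r != null) ? r.salt : new byte[SALT_BYTES];
        byte[] candidate = pbkdf2(password, salt);
        Arrays.fill(password, '\0');
        // r.hash.equals(candidate) would compare references and always be false;
        // Arrays.equals is correct but stops at the first differing byte, so the
        // time taken leaks how much of the hash matched. isEqual is constant time.
        return r != null && MessageDigest.isEqual(r.hash, candidate);
    }

    public static void main(String[] args) throws Exception {
        PasswordStore store = new PasswordStore();
        // Constructed sample data for the demonstration.
        store.add("alice", "correct horse".toCharArray());
        System.out.println("right password: " + store.verify("alice", "correct horse".toCharArray()));
        System.out.println("wrong password: " + store.verify("alice", "wrong".toCharArray()));
        System.out.println("unknown login:  " + store.verify("bob", "correct horse".toCharArray()));
    }
}
```

If the stored value has to be a String (for example a VARCHAR column), encode salt and hash as hex or Base64 and decode both before calling `MessageDigest.isEqual`; comparing the encoded strings with `equals` reintroduces the timing leak.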
Using form-based authentication with j_security_check in glassfish. The first logon works. User presses back button. The second logon fails. The browser URL after the second logon fails is http://(mydomain/j_security_check. "404 Not ...
The question has nothing to do with NetBeans and you may have more luck getting a meaningful response in one of the Glassfish forums. I had recently the same problem (but ...
I'm trying to run sample applications from http://archive.moreservlets.com illustrating basic and form based web application security. I've created the security realm in my Glassfish server and created a few users with ...
Hi Techy, This may be related to a problem I have found with IE and Ajax. Here is the message that I put up for my users: Due to a quirk ...
Thanks. While it did not change the behavior of IE it inspired me to switch to Mozilla. And, with Mozilla, at least when I manually delete the password cache it does ...
I have a relatively large Applet that runs in the browser, but just recently won't run in applet viewer. (In fact nothing will run, even simple blank applets). NB 6.8, Jdk ...
Dear developers, I have already mentioned this earlier, but my question did not receive any attention. I am observing bizarre NetBeans behaviour, which may be a bug. Full NetBeans distribution v 6.9.1, Apache Tomcat (comes with NetBeans) 6.0.26. How to recreate:
1. Create a new empty Web Application project, select Apache Tomcat for deployment.
2. Right click the Apache Tomcat server in Services ...
How do I setup SSL for a Web Service in a Java Enterprise Application? In a Web Application I add a Security Constraint in web.xml, but what about Enterprise Applications? There's no web.xml there. I noticed I can add a standard deployment descriptor (ejb-jar.xml). I'm not sure if it's the same as web.xml and I don't know where I should put ...
Hi, I'm developing a soap web service client that asserts a signed saml assertion token, then signs and encrypts the entire message. The wsdl file for the service indicates those, so I set up everything by setting the web service's attribute. When I print the soap request out, I can see that the message is indeed encrypted and signed. However, the ...
However when I try to run the server I get errors:
java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:1099 connect,resolve)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
    at java.security.AccessController.checkPermission(AccessController.java:546)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at java.lang.SecurityManager.checkConnect(SecurityManager.java:1034)
    at java.net.Socket.connect(Socket.java:513)
    at java.net.Socket.connect(Socket.java:469)
    at java.net.Socket.(Socket.java:366)
    at java.net.Socket.(Socket.java:180)
    at sun.rmi.transport.proxy.RMIDirectSocketFactory.createSocket(RMIDirectSocketFactory.java:22)
    at sun.rmi.transport.proxy.RMIMasterSocketFactory.createSocket(RMIMasterSocketFactory.java:128)
    at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:595)
    at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:198)
    at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:184)
    at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:322)
    at sun.rmi.registry.RegistryImpl_Stub.rebind(Unknown Source)
    at java.rmi.Naming.rebind(Naming.java:160)
    at examples.network.StudentEnrollment.main(StudentEnrollment.java:24)
It seems that the policy file is not being ...
Setting it in the pom doesn't necessarily mean it'll apply to your app. It means there's a property in your Maven project. How are you using Ehcache? In a stand alone app? In a webapp? How do you start the app? Or are you running as a Maven test? Posting your pom.xml would help here. If you're using Linux, you can check ...
I think that you may use a variable in your session. Once you are logged in, you set the variable to true (if the login is correct, of course). Every time that you access a resource, you must first check if your variable is set to true; if not you redirect to login.html, else you continue your business logic. I think there ...
I'm planning out an admin section for a web site I'm working on, and security is something I have a question about. Typically, I'd set a String to session when a user logs in and check for that variable on every "admin page". This works ok, but the session doesn't always die out until they close the browser window (even after ...
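An added example, not code from either of the two posts above, of the "session variable" approach the answer describes, done once in a filter rather than on every admin page, and with the idle timeout the second poster is missing. The attribute name, login path and timeout value are assumptions; the login page path is the one the answer names. Two details matter beyond the flag itself: the session is replaced at login so a session id that an attacker planted before login never becomes an authenticated one, and logout invalidates the session server-side rather than just clearing the cookie.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: login flag kept in the session, enforced by one filter.
// Attribute name, timeout and class name are assumptions.
public class LoginCheckFilter implements Filter {
    static final String USER_ATTR = "authenticatedUser"; // assumed; holds the user name, not just "true"
    static final String LOGIN_PAGE = "/login.html";       // path named in the answer
    static final int IDLE_TIMEOUT_SECONDS = 15 * 60;      // assumed idle limit

    // Called by the login servlet only after the credentials have been verified.
    public static void markLoggedIn(HttpServletRequest request, String username) {
        HttpSession old = request.getSession(false);
        Map<String, Object> keep = new HashMap<>();
        if (old != null) {
            // Copy what the pre-login session held, then drop that session so its id
            // (possibly chosen by an attacker: session fixation) stops being valid.
            for (Enumeration<?> e = old.getAttributeNames(); e.hasMoreElements();) {
                String name = (String) e.nextElement();
                keep.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> en : keep.entrySet()) {
            fresh.setAttribute(en.getKey(), en.getValue());
        }
        fresh.setAttribute(USER_ATTR, username);
        // The session dies after this much inactivity even if the browser stays open.
        fresh.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);
    }

    public static void logout(HttpServletRequest request) {
        HttpSession s = request.getSession(false);
        if (s != null) s.invalidate(); // the cookie the browser still holds now refers to nothing
    }

    static boolean isLoggedIn(HttpServletRequest request) {
        HttpSession s = request.getSession(false); // never create a session just to check it
        return s != null && s.getAttribute(USER_ATTR) != null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (path.equals(LOGIN_PAGE) || isLoggedIn(request)) {
            chain.doFilter(req, res);          // continue to the business logic
        } else {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
        }
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Map the filter to the protected URL pattern (for the second post, the admin section) in web.xml; a page that is not behind the filter is not protected no matter what the session holds. Storing the user name rather than a bare `true` lets later code log and authorize on who is logged in without a second lookup.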
Hello, What are the basic securing methods (implementations) that should be noticed when coding JSP/Servlet/Filter based Web applications? I don't mean just https connections, but things like: login, securing URLs that are not meant to be used directly, security options in web.xml, global error pages defined in web.xml to catch exceptions, groups, access rights. How are these usually handled in a Web Application? Are there ...
Hi Sejal, this probably varies a little according to what Servlet container you're using. But in general, you'll probably want to get a certificate and configure your app server accordingly. This will let you use https. As for security constraints and other stuff, just follow the standard (declaring security constraints and such in your servlet container's config file)
Hi, I am trying to implement web app security. I have a web-app called security running on my tomcat. I am able to implement authentication and authorization, but am not able to implement data confidentiality. The problems that I am running into are listed below: 1) Whenever I try to implement data confidentiality, I get a page cannot be displayed error. But ...
I've tested and used the tomcat-user.xml file in conjunction with the tags in DD to limit access to certain pages. Using this method, I've defined username, passwords and roles in the tomcat-user.xml file. I was wondering how this is handled in bigger applications where it wouldn't be efficient to declare all users ...
Hello everybody, I'm reading a lot about Webapp Security at the moment and I try to implement this the official way with and Realms and so on. I have two parts in my Webapp I need to secure: URLPattern /command/admin/* and /command/client/*. My problem is: can I use different Login-Pages for these two sections? Something like multiple ? Because the ...
I'm trying to set up application security for a project I'm working on and I'm running into a bit of difficulty. In my deployment descriptor, I have this: mainSecurity SecureStrutsActions /*.do GET POST administrator CONFIDENTIAL FORM /html/login.html /html/error.html administrator What I'd really like to have happen is ...
In Oracle database there are three methods for implementing row/column level security: views and access control over these views, Virtual Private Database, and Oracle Label Security. But all of them use the user account used to log into the database. The context of my question is: user --> webServer --> EJBserver --> DataBase. In an application server (oracleAS, ...
I have no knowledge about j2ee security but I am giving it a second look now. I have been studying this for a while now but can't get my head to understand all the concepts. I have been involved in web projects that run on the company's local Intranet only. As I have checked, there are no security constraints appended to it. ...
I am assigned a task to work on a Portal based upon Portlet 2.0 that will be deployed on Tomcat using Jetspeed 2.2.1. However in future this must be deployable on other portlet servers like IBM WebSphere. In the first step I have to work out the possible security model for the application. Major requirements for security: - Based on some standard - ...
To expand on Madhan's recommendation: packet sniffing isn't the issue. Unless every millimetre of the cable between client and server is physically isolated, people can sniff packets. Even then you're not totally safe, since tricks like monitoring the "radio noise" generated by computers and network equipment have been done. The key is to make the "sniffed" data unusable, and that means ...
Our ALUI Portal is hosted in IIS. For security reasons, we have now included Site Minder. After enabling Site Minder, the portlet applications configured in the Portal are not coming up. Getting the following error: " cannot be displayed because the remote server returned an invalid HTTP response code.". Please help me know how this can be fixed. Thanks, Saveetha ...
Hi, I have set up a StripesSecurityFilter class which handles authorization and authentication for my site. It works great, but as I am now going back and cleaning up and refactoring some code, I'm realizing it would be great if I could access the ActionBeanContext class from my StripesSecurityFilter class. This is because currently the StripesSecurityFilter class uses hard coded strings such ...
Hello, I am fairly new to Java. Just needed some advice from you. Say suppose I made roles in my web.xml as well as configured login and error pages. Now when an unauthenticated user comes to the site, the login page is displayed. Then the user enters username and password. But how to determine from the password and username that the user belongs to ...
1) The "Pages (regular)" pages may not need to be secure but the forms generated and submitted to the server MUST be done using HTTPS using POST. 2) The session attribute will be identified by a session Cookie (or something similar). This needs to be impossible to intercept or forge or you are wide open. 3) You should have a 'timeout' ...
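An added web.xml fragment (Servlet 3.0 or later; not part of the answer above) that turns the three points into container configuration. The URL patterns and the timeout value are assumptions. Point 1 is the `CONFIDENTIAL` transport guarantee, which makes the container redirect plain-HTTP requests for those URLs to HTTPS; point 2 is the `secure` and `http-only` flags on the session cookie, so it is never sent in clear and cannot be read by injected script; point 3 is `session-timeout`.

```xml
<!-- Added example, not from the answer. Paths and timeout are assumptions. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>form handlers</web-resource-name>
    <!-- no <http-method> elements: the constraint applies to every method,
         so a GET to the same URL is redirected to HTTPS as well -->
    <url-pattern>/login</url-pattern>
    <url-pattern>/account/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <!-- point 1: HTTPS only for these URLs -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<session-config>
  <!-- point 3: idle timeout, in minutes -->
  <session-timeout>15</session-timeout>
  <cookie-config>
    <!-- point 2: the session cookie is withheld on plain HTTP and hidden from scripts -->
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>
```

A `security-constraint` with no `auth-constraint`, as above, enforces only the transport guarantee; add an `auth-constraint` with the required roles to also demand a login. "Impossible to forge" additionally depends on the container issuing unguessable session ids and on the application replacing the session id at login, which no descriptor setting does on its own.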
Hello, I'll soon be developing a web application in which security is a major concern, and I'd like some advice about some technologies I'm evaluating to get the job done. I couldn't get comparisons on the security power offered by each. - Web tier: I have some experience on JSP and JS; besides HTTPS, JSF seems to provide better, out-of-the-box, support for ...
It happens because you haven't granted yourself one or more permissions that log4j needs to initialize itself. Run your program with -Djava.security.debug=access,failure to see what permission(s) it requires and add them to your security .policy file. I find it a bit odd that you have a server log and a client log in the same class, i.e. in the same JVM. ...
Hi, I am getting this exception in Jini. Please give me a solution. What steps are required to solve this problem? How do I set ExecOptionPermission in the existing policy?
rmid: (WARNING) restart service throws:
java.security.AccessControlException: access denied (com.sun.rmi.rmid.ExecOptionPermission -Djava.security.policy=c:\policy)
    at sun.rmi.server.Activation$DefaultExecPolicy.checkPermission(Activation.java:1857)
    at sun.rmi.server.Activation$DefaultExecPolicy.checkExecCommand(Activation.java:1747)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at sun.rmi.server.Activation.checkArgs(Activation.java:1369)
    at sun.rmi.server.Activation.access$400(Activation.java:118)
    at sun.rmi.server.Activation$GroupEntry.getInstantiator(Activation.java:1166)
    at sun.rmi.server.Activation$GroupEntry.activate(Activation.java:1090)
    at sun.rmi.server.Activation$GroupEntry.restartServices(Activation.java:800)
    ...
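The three AccessControlException posts above (the RMI registry connect on 127.0.0.1:1099, the log4j initialization, and the rmid ExecOptionPermission) all come down to policy-file grants. The following is an added example of those grants and is not taken from any of the posts; the codeBase URL, log file paths and the log4j property/file names are assumptions, while the socket address and the -Djava.security.policy value are the ones printed in the exceptions. The first block belongs in the application's policy file, the second in the separate policy file that rmid itself is started with, because rmid checks ExecOptionPermission against its own policy, not the activation group's.

```text
// app.policy: added example, assumptions marked inline
grant codeBase "file:/opt/app/classes/-" {
    // the exact permission named in the RMI AccessControlException
    permission java.net.SocketPermission "127.0.0.1:1099", "connect,resolve";
    // exported remote objects also accept connections on an ephemeral port
    permission java.net.SocketPermission "127.0.0.1:1024-", "accept,resolve";
    // what a logging library typically asks for (assumed names; confirm with
    // -Djava.security.debug=access,failure before copying these)
    permission java.util.PropertyPermission "log4j.*", "read";
    permission java.io.FilePermission "/opt/app/conf/log4j.properties", "read";
    permission java.io.FilePermission "/var/log/app/-", "read,write";
};

// rmid.policy: passed to rmid with -J-Djava.security.policy=rmid.policy
grant {
    // allows activation groups to be started with this exact JVM option;
    // backslashes in policy strings are doubled
    permission com.sun.rmi.rmid.ExecOptionPermission "-Djava.security.policy=c:\\policy";
};
```

Run the application with `-Djava.security.manager -Djava.security.policy=app.policy -Djava.security.debug=access,failure`; each failed check is printed with the permission it needed, which is what to add. A single `=` after `java.security.policy` appends to the JRE's default java.policy, `==` replaces it. Resist the temptation to grant `java.security.AllPermission` to make the trace go away: that disables the sandbox the SecurityManager was turned on for.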
To give more details about the problem I have: the user likes to put a URL in the browser, then press enter. The user likes to see the running results. However, the user is not able to see the results because j2ee security requires the user to log in. After successful login, the user is going to see the index page. My question is how the user can be ...